In general, I would make the decision based on who needed to be allowed
access and who needed to control that access.

Assuming that you want the point of control to be in the domain
where the OU and groups are, then here's what I'd do.

Admins can only be from the same domain as the OU: use a domain global
group.

Admins can be from any domain in the forest but not from trusted
domains: use a universal group.

Admins can be from any trusted domain: use a domain local group.

If you want to retain control over exactly who gets rights over the OU,
then you use an appropriately scoped group whose membership is
controlled by you and add user accounts individually.

If you want to delegate the membership issue, then you can populate your
group with groups from other jurisdictions. Whoever owns those groups
will now have a say in who has rights. You of course still retain some
control since you can still add or remove other groups or users.

If you don't want to have that local control, then you could just add
groups from other domains directly, but the ACLs start getting messy
very quickly. Better to at least aggregate all of those into a single
group to keep the ACLs clean.

Wook
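As an added illustration of Wook's advice (example code written for this page, not from the thread or any tool it mentions), the following audits the explicit ACEs on an OU and reports each trustee's group scope, whether it is a principal from another domain granted directly, and how many foreign security principals a group carries. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name is a placeholder.

```powershell
# Added example: audit who holds explicit (non-inherited) rights on an OU and
# flag principals from other domains granted directly, the case Wook says makes
# ACLs messy and that he recommends aggregating into one scoped group.
# Assumes the RSAT ActiveDirectory module; the OU DN below is a placeholder.
Import-Module ActiveDirectory

$OuDn     = 'OU=Workstations,DC=example,DC=com'   # placeholder, replace with your OU
$localSid = (Get-ADDomain).DomainSID.Value         # this domain's S-1-5-21-... prefix

$acl = Get-Acl -Path "AD:\$OuDn"

$report = foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
    # Resolve the trustee to a SID so local and foreign principals can be told apart
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = $null }

    # A domain SID (S-1-5-21-...) that does not match ours belongs to another domain
    $fromOtherDomain = [bool]($sid -and $sid.StartsWith('S-1-5-21-') -and -not $sid.StartsWith($localSid))

    $scope          = 'user/builtin/unknown'
    $foreignMembers = 0
    if ($sid -and -not $fromOtherDomain) {
        $grp = Get-ADGroup -Identity $sid -Properties member -ErrorAction SilentlyContinue
        if ($grp) {
            $scope = $grp.GroupScope
            # Members from trusted domains are stored as ForeignSecurityPrincipals;
            # only domain local groups can hold them, hence Wook's mapping of that case
            $foreignMembers = @($grp.member | Where-Object { $_ -like '*CN=ForeignSecurityPrincipals,*' }).Count
        }
    }

    [pscustomobject]@{
        Trustee         = $ace.IdentityReference.Value
        Rights          = $ace.ActiveDirectoryRights
        Scope           = $scope
        FromOtherDomain = $fromOtherDomain
        ForeignMembers  = $foreignMembers
    }
}

$report | Format-Table -AutoSize

# Direct cross-domain ACEs are the ones to consolidate into a single scoped group
$report | Where-Object FromOtherDomain |
    ForEach-Object { Write-Warning "Direct cross-domain ACE on ${OuDn}: $($_.Trustee)" }
```

Run it against each delegated OU; a non-empty warning list is the "messy ACL" state, and the Scope column shows whether the aggregating group matches the membership rules Wook lists.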
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA) [E]
Sent: Wednesday, April 19, 2006 11:22 AM
To: [email protected]
Subject: [ActiveDir] Domain Local Group vs Global Security Group for
Delegated Permissions in AD

Quick Question,

I was teaching a class the other day when the question came up about
what group scope you should use for delegated permissions of an OU.  I
was teaching an earlier class where I explained how to use Domain Local
Groups on File Shares and Printers to centralize management of these
resources via AD.  The question from the students was could / should
they use the same principles for AD Delegation?  I said no, based on past
experience that 3rd party delegation tools didn't like Domain Local
Groups used for delegation.

This got me to thinking why and wondering what you all do and why?

I know this question is open ended, and depends on your domain structure
etc., but I am just trying to identify a real reason to say no, only use
global groups for delegation within a domain.

Thanks,

Todd Myrick
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/